Rogue anti-virus up and Kelihos botnet is back

Kelihos was taken down last year through the combined efforts of Microsoft and Kaspersky Labs. Earlier this year Microsoft accused Russian Andrey Sabelnikov of being the mastermind behind Kelihos. He was at the time in the US, but quickly returned to Russia declaring his innocence. Since then, but with nothing to suggest any current involvement from Sabelnikov, “evidence uncovered by industry experts suggests that a new variant is on the loose, rebuilding the botnet and adding to the global spam burden,” writes GFI. The Kelihos botnet, says GFI, is capable of sending billions of spam messages in a single day usually relating to “pornography, Viagra, and fake pharmaceutical companies.”

GFI’s report also highlights a number of separate high profile incidents during February. These include the discovery that Twilight author Stephanie Meyer was a zombie; that is, her personal website had been compromised and was hosting the Crimepack exploit pack, potentially infecting any visitors using an unpatched browser. Gamers were targeted via a YouTube video that claimed to help generate free Microsoft Points – the online currency for Xbox users. And Victoria’s Secret was targeted with a gift card scam via a fake Tumblr blog.

But of special note to GFI is the continuing growth of fake anti-virus. Many of these are being distributed via spam containing malicious links to the Blackhole exploit kit. If a visitor is tricked into clicking one of these links, it leads to Blackhole which then scans the PC looking for a range of unpatched vulnerabilities. If successful, the visitor is infected with a false anti-virus trojan. This pretends to scan the computer and pretends to find viruses; and the user is pressured into buying the full cleansing kit. Needless to say, if the victim does hand over bank details to pay for the rogue product it is more likely that the bank account will be cleansed of money than the computer cleansed of viruses.

These fake AV trojans, like many others, are particularly difficult to detect. “Rogue AV utilities are continually tweaked in an attempt to avoid detection, with newer variants of these malicious applications propagating every 12 to 24 hours,” writes GFI. “While the velocity at which rogues were successfully propagating may have slowed toward the end of last year,” says Christopher Boyd, senior threat researcher at GFI Software, “they are certainly back now – and they remain a popular tactic among cybercriminals. Users should not let their guard down. As always – no matter how convincing they look – always take the time to evaluate any piece of software that claims your PC is infected, prompts you for a credit card number or asks you to share any sensitive data, especially if it’s software that you or your employer did not install.”